An Efficient Formulation of the Real

644
IEEE TRANSACTIONS ON COMPUTERS,
VOL. 62,
NO. 4,
APRIL 2013
An Efficient Formulation of the Real-Time
Feasibility Region for Design Optimization
Haibo Zeng, Member, IEEE, and Marco Di Natale, Senior Member, IEEE
Abstract—In the design of time-critical applications, schedulability analysis is used to define the feasibility region of tasks with
deadlines, so that optimization techniques can find the best design solution within the timing constraints. The formulation of the
feasibility region based on the response time calculation requires many integer variables and is too complex for solvers. Approximation
techniques have been used to define a convex subset of the feasibility region, used in conjunction with a branch and bound approach
to compute suboptimal solutions for optimal task period selection, priority assignment, or placement of tasks onto CPUs. In this paper,
we provide an improved and simpler real-time schedulability test that allows an exact and efficient definition of the feasibility region in
Mixed Integer Linear Programming (MILP) optimization. Our method requires a significantly smaller number of binary variables and is
viable for the treatment of industrial-size problem, as shown by the experiments.
Index Terms—Real-time systems, schedulability analysis, mixed integer linear programming
Ç
1
INTRODUCTION
T
HE design of complex embedded real-time systems is
subject to many requirements and constraints, including
limited resources, cost, performance of control algorithms,
and energy consumption. In hard real-time systems, the
design space (or the feasibility region) must satisfy the
schedulability constraints, requiring that tasks (or threads,
scheduled on CPUs) complete before their deadlines.
Formally, the design optimization problem can be represented by parameters, decision variables, constraints, and
objective functions. The decision variables represent the set
of design choices under the control of the designers. The set
of constraints defines the feasibility region, the domain of
the allowed values for the decision variables. Also, an
objective function characterizes the optimization goal.
Sometimes the problem is quite simple, for example,
when the only design variables are task priorities and there
is no optimization metric. Thus, the designer simply needs a
feasible solution, which may be provided by a simple policy
or algorithm. For example, in uniprocessor systems with
preemptive scheduling where tasks are independent and
their deadlines are smaller than the periods, the Deadline
Monotonic (DM) priority assignment is optimal.
Practical design problems, however, are typically much
more complicated. Even if we only consider the problem
of optimal priority assignment, there are many examples
where finding the optimal solution is of exponential
complexity (and DM is no longer guaranteed to be optimal):
. H. Zeng is with the Department of Electrical and Computer Engineering,
McGill University, Room 633, McConnell Engineering Building, 3480
University Street, Montreal, Quebec H3A 0E9, Canada.
E-mail: [email protected].
. M. Di Natale is with the TECIP Institute, Scuola Superiore S. Anna, via
Moruzzi 1, Pisa 56124, Italy. E-mail: [email protected].
Manuscript received 27 Oct. 2010; revised 23 Dec. 2011; accepted 30 Dec.
2011; published online 16 Jan. 2012.
Recommended for acceptance by S.H. Son.
For information on obtaining reprints of this article, please send e-mail to:
[email protected], and reference IEEECS Log Number TC-2010-10-0594.
Digital Object Identifier no. 10.1109/TC.2012.21.
0018-9340/13/$31.00 ß 2013 IEEE
systems with nonpreemptive scheduling [7] or in
which tasks share resources [16];
. systems in which the designer seeks an optimal
solution that maximizes robustness (for example,
defined as the difference between the deadline and
the worst case response time) [10]; and
. systems in which preemption thresholds are used to
optimize stack memory usage [8].
In addition, there are design problems in which multiple
control loops are scheduled on the same processor and the
objective function to be optimized is the overall control
performance [5] [23].
In general, the optimal design can be obtained by solving
an optimization problem where the system performance is
maximized within the feasibility region. This approach has
been used in several works to optimize the design of realtime systems, e.g., [6] [27] [28]. In this paper, we will use a
Mixed Integer Linear Programming (MILP) framework. An
MILP problem in standard form is
.
minimize
subject to
cT X
AX b
X 0;
ð1Þ
where X ¼ ðx1 ; . . . ; xn Þ is a vector of positive real, integer,
or binary-valued decision variables. MILP problems can be
solved very efficiently by a variety of solvers. In this paper,
we discuss two sets of optimization variables, the worst-case
execution times, and the task priorities..
We highlight two contexts in which the priority assignment problem cannot be formulated in a trivial way because
of additional design variables or constraints. The first
problem instance is especially relevant for real-time
systems-on-a-chip, in which the amount of RAM memory
used by the system stack can be reduced by selectively
disabling preemption [8]. Preemption can be disabled by
artificially imposing critical sections on the task segments
that require large amounts of stack space or, alternatively,
by using preemption thresholds. In both cases, the problem
is defined as the optimal assignment of priorities and
Published by the IEEE Computer Society
ZENG AND DI NATALE: AN EFFICIENT FORMULATION OF THE REAL-TIME FEASIBILITY REGION FOR DESIGN OPTIMIZATION
possibly preemption thresholds such that schedulability is
guaranteed and the memory required by the system is
minimized. The second problem instance occurs in the
context of model-based development flows. The design
problem consists of mapping the actions of functional
blocks onto tasks and of the assignment of priorities to
tasks. The objective is to define a task model that is feasible
with respect to deadlines, preserves the communication
flows with respect to the model semantics, and minimizes
the amount of memory required for the wait-free buffers
implementing the communication. We elaborate the problem with an automotive case study in Section 9.3.
There are at least three representative scenarios where the
worst case task execution times are design variables. The first is
when the designer can choose among multiple versions of
the same algorithm, such as in some control applications,
including fuel injection systems. The fuel and air intakes
need to be controlled together with the injection time in the
combustion chamber to optimize the efficiency of the engine
(torque produced) and minimize pollutants. The control
algorithm has several tasks activated with a rate that
depends on the revolution speed of the engine shaft. At
low speeds, the interarrival time is relatively large and
sophisticated versions of the control algorithms are used. At
higher speeds, schedulability is at risk and less complicated
(and faster) versions of the controls are used. The selection of
which version of the control algorithm to use at each engine
speed can be a quite complex problem. The second scenario is
dynamic voltage scaling, or at least the class of voltage
scaling solutions where the processor clock can be assigned
at design time to each task. In this case, the execution time of
a task may change according to the clock and voltage
selected for its execution. The problem is to minimize the
energy consumed by the system while keeping all task
response times within the deadlines. The third scenario
occurs in model-based design flows. The behaviors associated with the model blocks or components (Runnables in
AUTOSAR or step functions in Simulink) need to be mapped
into tasks. In multicore systems, there can be many mapping
options. A runnable with period Ti can be mapped into any
task with the same period or a submultiple of it (Tj ¼ Ti =k
with the runnable executing once every k activations) on any
core. Depending on the mapping decisions, the worst case
task execution times may be different.
In the formulation of the optimization problem, the
definition of the feasibility region based on the computation
of task response times allows an exact formulation only with
a very large set of integer or binary variables (see Section 2.1).
This makes the problem practically impossible to solve in
reasonable amount of time for industrial-size systems.
In this paper, we provide an improved formulation of
the feasibility region for single-processor priority-based scheduling, with a much smaller number of disjunctive linear
constraints. The new test is marginally important as an
analysis method (current methods already allow to deal
with extremely large task sets), but it is of fundamental
importance for an exact and efficient formulation of the
real-time feasibility region in an optimization process.
Our new method extends previous work on schedulability
analysis based on the request bound function. The request
bound function of a task i in t 0, rbfi ðtÞ, is defined as the
maximum cumulative execution time required by i in any
time interval of length t. In [11], a task i with deadline Di not
larger than its period Ti is demonstrated to be feasible if and
645
only if there exists at least one time instant t Di when the
available CPU time in ½0; t is larger than, or equal to the time
required for execution
Pby i and higher or equal priority tasks
(the set heðiÞ), that is, j2heðiÞ rbfj ðtÞ t. For each task i , only
time instants belonging to a set S i need to be considered for a
necessary and sufficient condition. In [11], S i is given as the
set of integer multiples of the periods of the tasks with higher
priority than i that are no greater than Di . Satisfaction of any
of these linear constraints for t 2 S i demonstrates feasibility
of i . In other words, the feasibility region of i can be defined
by a set of disjunctive linear constraints, which can be
expressed in an MILP formulation by adding a set of binary
variables (see Section 3).
A large set S i requires the use of many such binary
variables. This makes the solution of the optimization
problem difficult or even impossible for large-size designs.
We show how the set of points that need to be checked for
feasibility can be substantially reduced with respect to the
previous work in [11], [2].
We provide theory and algorithms for the computation
of a set of nonredundant points to represent the feasibility
region. All the algorithms presented here are to be performed
offline as part of the design optimization process.
We performed several experiments to show the effectiveness and applicability of our method. The first experiment uses randomly generated task sets to evaluate the
algorithm complexity and the effectiveness in the reduction
of points. The method is then applied to an automotive fuel
injection system, to compute the schedulable solution
within the memory constraint and with minimum latencies.
The computation time of a reduced set of points for this case study
is several seconds, but it saves hours of runtime in the following
optimization process.
Section 2 provides an introduction to the definition of the
feasibility region and refers to results in the literature.
Section 3 discusses the new formulation of the feasibility
region and the improvement with respect to existing tests.
Sections 4 and 5 present the theory and algorithms to find
nonredundant test sets. The use of our formulation for the
optimization of the priority assignment is discussed in
Section 6. Section 7 defines an extension to the case of tasks
sharing critical sections. Systems with preemption threshold scheduling are addressed in Section 8. Section 9 shows
the application to random task sets as well as to an
industrial case. Finally, we draw conclusions in Section 10.
2
DEFINITION OF THE FEASIBILITY REGION
Consider a set of n periodic tasks ¼ fi ¼ ðCi ; Di ; Ti Þ : i ¼
1; . . . ; ng scheduled by fixed priority on a uniprocessor system
with Di Ti . A task i is characterized by design parameters, such as its period Ti and deadline Di . It also
involves design variables subject to optimization, such as its
priority, or its worst case execution time Ci . For example,
the worst case execution time of a task can be approximated
by the sum of the worst case execution times of the
functions called by the task. This is especially true for tasks
generated from models, where the task body consists of
calling the system reactions
mapped into it. Thus, Ci can be
P
expressed as Ci ¼ k i;k !k , where !k is the worst case
execution time of the kth reaction, and i;k is 1 if i
implements the reaction (and 0 otherwise). We denote the
vector of the Ci of all tasks as C, the vector of the priority
orders pi;j as P (see Section 2.1), and the vectors of periods
and deadlines as T and D, respectively.
646
IEEE TRANSACTIONS ON COMPUTERS,
In this work, the periods T and deadlines D are always
parameters. The design variables X can be the computation
times X C, the priority order X P, or both.
Definition 1. The feasibility region M
Mi ðÞ of task i 2 ,
simply denoted as M i , is the region of the design variables
X 2 X where i is schedulable, i.e.,
M
Mi ðÞ ¼ fX 2 X
X : i is schedulableg:
ð2Þ
Definition 2. The task set is schedulable if and only if every
task in the set is schedulable. The feasibility regionTM
MðÞ of
the task set , simply denoted as M
M, is defined as ( stands
for the set intersection)
\
M i ðÞ: ð3Þ
M ðÞ ¼ fX 2 X : is schedulableg ¼
i 2
2.1 Response Time-Based Formulation
The feasibility region for i can be expressed by comparing
its worst case response time ri to the deadline Di . ri is given
by the well-known formula
X
ri ¼ C i þ
Ij;i Cj Di ;
ð4Þ
j2hpðiÞ
where hpðiÞ is set of tasks with priority higher than i , and
Ij;i is the integer number of interferences by j on i
ri
:
Ij;i ¼
Tj
Ij;i can also be expressed using the linear bounds
ri
ri
Ij;i < þ 1:
Tj
Tj
If the priority assignments are design variables, then a
set of binary variables is defined to encode the priority
order: pj;i is defined as 1 if the priority of j is higher than
the priority of i , and 0 otherwise. Equation (4) can be
reformulated as
X
ri ¼ Ci þ
pj;i Ij;i Cj Di ;
ð5Þ
j6¼i
where j spans over all the other tasks in the system. The
formula is not a linear constraint because of the product
pj;i Ij;i . However, an additional set of integer variables j;i
can be used to transform the problem into a linear one as in
(6), even if (5) can be handled by most solvers [27]. Here, M
is a constant larger than any Ij;i and it is typically used (as
“big M” formulation) to encode alternative constraints that
depend on a binary variable (the value of pj;i makes one of
the constraints trivially true)
X
ri ¼ C i þ
j;i Cj Di
j6¼i
Ij;i Mð1 pj;i Þ j;i Ij;i
0 j;i Mpj;i :
ð6Þ
If the worst case task execution times are also optimization variables, other linearization techniques could be used
[17]. This formulation of the response time has been
proposed in several research works, including [27] and
VOL. 62,
NO. 4,
APRIL 2013
[15] where the feasibility problem is part of the design
optimization based on a SAT-solver. The corresponding test
is exact, but requires a possibly large number of integer
variables (in the order of n2 , where n is the number of
tasks). Solving the MILP problem in feasible time is
impossible for medium and sometimes small size systems.
In the cited research works, alternative solutions based
on the approximation of the response times have been used.
Linear upper and lower bounds r"i and r#i can be obtained
by upper and lower bounding the ceiling function and
"
#
using real values for Ij;i
¼ Trij þ 1 and Ij;i
¼ Trij , respectively.
#
"
A linear combination r~i ¼ ri þ ð1 Þri of these bounds
with coefficient 2 ½0; 1Þ is used to optimize the task
periods in [6] and the task and message placement and
priority assignment in [27].
A tighter upper bound can be obtained by using the
definition of the load executed at higher priority in [4]
X "
r"i Uj ri þ Cj ð1 Uj Þ ¼ Ci :
ð7Þ
j2hpðiÞ
Other feasibility tests, especially utilization based, have
been developed for single-processor systems. They could be
used to obtain a subset of the feasibility region and a
suboptimal solution. In some systems, possibly with many
tasks and a performance function with small variations,
they could be viable. Of course, they don’t guarantee the
global optimum and, depending on the task set, the region
obtained with a sufficient test could be significantly smaller
than the exact feasibility region. An estimate of the
pessimism can be obtained with reference to the utilization-based hyperbolic bound in [2], which is not convex
(therefore, not easily usable for optimization purposes), but
is the best bound that can be found using the task
utilizations. Its schedulability gain with respect
pffiffiffi to the
classical Liu and Layland bound approaches 2 for large
task sets. Finally, and possibly most importantly, these tests
typically require knowledge of the priority assignment, therefore
cannot be used for the optimization of the priority assignment.
2.2 Request Bound Function-Based Formulation
The feasibility region M
M can also be determined using
constraints based on the request bound function. In the
following, we discuss the optimization of the worst case
execution time selection, that is, X C. The optimization of
the priority assignment is addressed in Section 6.
Since the load from higher priority tasks, as expressed by
the request bound function, can only change at integer
multiples of their periods, Lehoczky et al. [11] found that
the feasibility region M
Mi can be expressed as
8
9
<
=
_ X t
C
:
t
M
Mi ðÞ ¼ C 2 IRþ
j
n
:
;
Tj
t2S i j2heðiÞ
ð8Þ
[
Di
where S i ¼ kTj : j 2 hpðiÞ; k ¼ 1; . . . ;
fDi g:
Tj
W
S
Here, stands for the logic OR operation and represents
the union of sets. The definition of the function
t
j ðtÞ ¼
Tj
t
ð9Þ
ZENG AND DI NATALE: AN EFFICIENT FORMULATION OF THE REAL-TIME FEASIBILITY REGION FOR DESIGN OPTIMIZATION
647
TABLE 1
An Example with Four Tasks
allows to rewrite the feasibility condition for i at each point
t 2 S i in a much simpler way
X
j ðtÞCj 1:
ð10Þ
j2heðiÞ
Each such inequality represents the case where the total
request from task i and higher priority tasks within ½0; t is
no greater than t. If this is true at any point t 2 S i (which
implies t Di ), then i completes no later than t; thus, it is
schedulable. The feasibility region of i is the union of
subspaces defined in the positive quadrant IRþ
n by the set of
(linear) inequalities on the C variables with parameters T
and D for t 2 S i . In general, the feasibility region is a nonconvex
polytope. Furthermore, for large task set, the number of
points in S i may be very large.
Bini et al. [2] showed that only a subset (denoted as
P i ðDi Þ) of the points in S i needs to be considered for a
sufficient and necessary test.
Theorem 1. Assuming task indices are assigned according to
priorities (lowest index for highest priority), the feasibility
region
V M of task set where Di Ti for each task i is given
by ( is the logic AND)
8
9
<
=
^ _ X
j ðtÞCj 1 ;
M ðÞ ¼ C 2 IRþ
n :
:
;
2 t2P ðD Þ j2heðiÞ
i
i
i
where P i is defined as
(
P 1 ðtÞ ¼ ftg
j k
S
t
Ti1
P i1 ðtÞ:
P i ðtÞ ¼ P i1 Ti1
ð11Þ
Compared to S i , the number of points in P i ðDi Þ (or simply
P i ) is reduced so that the feasibility analysis becomes faster
than the methods based on response time analysis [1], [21].
Example. Consider the example of Table 1 with four tasks
indexed by priority (lowest index for highest priority) and
with deadlines equal to their periods. For each i , P i is a
(much smaller) subset of S i , especially for the last task.
However, the set P i is still redundant. We show how a
smaller set can be computed for a necessary and sufficient
feasibility test, or an exact representation of the feasibility
region. The computation of this reduced set requires an
algorithm that can be too complex to overcome any possible
advantages if used as an analysis tool. However, it can be
very useful for the definition of a feasibility region for
design optimization purposes: a much smaller set can be
computed statically once and for all, and the resulting
efficient formulation of the exact feasibility region saves
significant time in the optimization process. In addition,
(11) cannot be used for the optimization of the priority
assignment, given that knowledge of the priority order is
needed to identify the points in P i .
Fig. 1. The system feasibility region as the intersection/union composition of the point regions of the tasks.
3
IMPROVING THE REPRESENTATION OF THE
FEASIBILITY REGION: FORMULATION
As a generalization of (8) and (11), the feasibility region of i
with constrained deadline Di Ti can be defined using a
set of points I i (possibly redundant). I i can be S i as in (8),
or P i ðDi Þ as in (11)
\
M
MðÞ ¼
M
Mi ðÞ
i 2
M
Mi ðÞ ¼
8
<
:
C 2 IRþ
n :
9
=
j ðtÞCj 1 :
;
j2heðiÞ
_ X
t2I i
ð12Þ
We denote each of the halfspaces defined by one of the
linear inequalities in (12) as
8
9
<
=
X
j ðtÞCj 1 :
ð13Þ
IFi ð; tÞ ¼ C 2 IRþ
n :
:
;
j2heðiÞ
IFi ð; tÞ, or simply IFi ðtÞ, is called a point region as it
corresponds to a time point t. Then, the feasibility region
can be expressed as
\ [
M
M¼
IFi ðtÞ:
ð14Þ
i 2 t2I i
Fig. 1 provides a graphical representation of the system
feasibility region. It is the intersection of the task regions,
which are in turn the union of the point regions.
We index the points tj;m 2 I j in increasing order, such
that tj;0 denotes the smallest, and tj;mj 1 the largest, where
mj ¼ jI j j. We use kj ¼ dlog2 mj e binary variables bj;k ; k ¼
0; . . . ; kj 1 to encode these mj constraints. The following
function associates a binary encoding for each variable bj;k
with the constraint on point tj;m
if ðm bitwise-AND 2k Þ ¼ 0
bj;k
ð15Þ
Ej ðm; kÞ ¼
1 bj;k otherwise:
Thus, the disjunction on constraints that define the
schedulability of j can be encoded using the standard
“big-M” formulation for conditional constraints (M is a
constant larger than any other quantity involved in the
constraint). For all j , j ¼ 1 . . . n
8
kX
j 1
>
X
>
> 8t 2 I ;
>
ðt
ÞC
1
þ
M
Ej ðm; kÞ
j;m
j
i
j;m
i
>
<
k¼0
i2heðjÞ
ð16Þ
kX
j 1
>
>
>
>
ð2k bj;k Þ mj 1:
>
:
k¼0
648
IEEE TRANSACTIONS ON COMPUTERS,
VOL. 62,
NO. 4,
APRIL 2013
Fig. 2. Orthogonal projection views of IF3 ð4Þ and IF3 ð8Þ.
All the constraints in the first set of inequalities are trivially
true except the one for which the values of the binary
variables match the corresponding index. The bottom
constraint in (16) ensures that the binary encoding does
not exceed the maximum index of the points.
Given the dependency of the number of binary variables on the
number of constraints, our objective is to remove redundancy in
I i , by checking whether the removal of the points (and the
corresponding point regions) changes the feasibility region.
We define three types of redundancies:
System-level point redundancy. For any p 2 I i , if the
resulting region M
M after removing p from I i is the
same as M
M, then p is system-level redundant.
. System-level task redundancy. For any task i , if the
resulting region M
M after removing all points in I i is
the same as M , then i is system-level redundant.
. Task-level point redundancy. For any p 2 I i , if the
resulting region M
M
i after removing p from I i is the
same as M
Mi , then p is task-level redundant.
The first two types require the formulation of the
feasibility region of other tasks. The third is a subset of
the system-level point redundancy: any point that is tasklevel redundant is also system-level redundant. However,
its identification is much faster. In the following, we
provide methods to efficiently remove these redundancies.
.
4
TASK-LEVEL POINT REDUNDANCY
The points in I i correspond to linear inequalities that are
OR-combined to define the feasibility region M
Mi of i . It is
therefore possible to remove all the points that define point regions
contained in the union of the other regions (the satisfaction of
their constraints is implied by the satisfaction of constraints
on other points).
Fig. 2 shows the point regions IF3 ð4Þ and IF3 ð8Þ for task 3
in Table 1. It is clear that IF3 ð4Þ is fully contained inside
IF3 ð8Þ, thus point 4 is redundant. Also, from Fig. 3, although
neither IF4 ð48Þ nor IF4 ð50Þ contains IF4 ð44Þ, their union does.
Thus, point 44 can be removed from I 4 .
We now provide a lemma to detect feasibility regions
fully contained in other regions.
Lemma
2. Considering two regions
G ¼ fC 2 IRþ
n :
Pn
þ Pn
i¼1 gi Ci 1g and IH ¼ fC 2 IRn :
i¼1 hi Ci 1g. If all
the coefficients of the constraint defining G
G are componentwise
no smaller than IH, i.e., 8i ¼ 1; 2; . . . ; n, gi hi , then G is
contained in IH, or G
G IH.
Fig. 3. Orthogonal projection views of IF4 ð44Þ, IF4 ð48Þ, and IF4 ð50Þ. Axis
C1 is omitted.
Proof. For any C 2 G
G, since 8i, Ci 0 and gi hi ,
Pn
Pn
Pn
i¼1 gi Ci i¼1 hi Ci ¼
i¼1 ðgi hi ÞCi 0, thus
n
X
i¼1
gi Ci 1 )
n
X
hi Ci 1;
i¼1
G is also a
and C 2 IH. In other words, any member of G
member of IH.
t
u
Lemma 2 can be leveraged to reason about the containment relationship between the feasibility regions defined by
the points in I i . The simplest case is to check the
componentwise dominance between the coefficients associated with a pair of points p and q.
Theorem 3. The set of redundant points in I i includes every
point p for which there exists a point q such that
8j 2 heðiÞ; j ðpÞ j ðqÞ:
ð17Þ
Proof. By the definitions of IFi ðpÞ and IFi ðqÞ, it follows
Lemma 2 that if condition (17) is satisfied, then
u
t
IFi ðpÞ IFi ðqÞ. Thus, point p is redundant.
Example. In the task set of Table 1, the set of points that
need to be checked for the feasibility of 3 is reduced
from P 3 ¼ f4; 5; 8g to obtain I 3 ¼ f5; 8g since the pair
p ¼ 4; q ¼ 8 satisfies (17) (point 8 makes 4 redundant).
The following theorem extends Theorem 3 to a more
general case: a sufficient condition that the feasibility region
defined by a point p is contained in the union of the
feasibility regions defined by other points in I i .
Theorem 4. A point p 2 I i is redundant if for all the other points
qk 2 I i ; qk 6¼ p, there exists a solution ¼ ð1 ; . . . ; jI i j1 Þ
which satisfies the following constraints:
X
8
j ðqk Þk
>
> 8j 2 heðiÞ; j ðpÞ >
<X
k
ð18Þ
k ¼ 1
>
>
>
: k
8k; k 0:
ZENG AND DI NATALE: AN EFFICIENT FORMULATION OF THE REAL-TIME FEASIBILITY REGION FOR DESIGN OPTIMIZATION
P
Proof. Consider the region IH ¼ fC 2 IRþ
n :
j2hpðiÞ
P j Cj 1g
where the coefficient of the constraint j ¼ k k j ðqk Þ is
the affine combination of the coefficients associated with
points qS
k . We first prove that IH is a subset of the feasibility
region k IFi ðqk Þ by contradiction.
Suppose
S there exists a solution C such that C 2 IH,
and C 62 k IFi ðqk Þ. Then,
X
8k;
j ðqk ÞCj > 1:
j2heðiÞ
By multiplying each inequality (for one of the qk ) with
the corresponding k of the solution of (18) and adding
the left- and the right-hand sides for all qk , we obtain
X
X
X
X
X
k
j ðqk ÞCj ¼
Cj
k j ðqk Þ >
k :
k
j2heðiÞ
j2heðiÞ
k
k
P
By the definition of j and the fact
k ¼ 1, the
P that k above inequality is equivalent to j2heðiÞ j CjS> 1. This
contradicts the assumptionP
C 2 IH, thus IH k IFi ðqk Þ.
Since 8j 2 heðiÞ, j ðpÞ S k j ðqk Þk ¼ j , by Lemma 2,
IFi ðpÞ IH. Thus, IFi ðpÞ k IFi ðqk Þ, and point p is redundant.
u
t
Example. For 4 in the example of Table 1, the test at 44 is
redundant. The tests at points 44, 48, and 50 for 4 are
22
9
6
1
C
C
C
C
:
þ
þ
þ
1
IF4 ð44Þ ¼ C 2 IRþ
1
2
3
4
4
44
44
44
44
24
10
6
1
þ
IF4 ð48Þ ¼ C 2 IR4 : C1 þ C2 þ C3 þ C4 1
48
48
48
48
25
10
7
1
C
C
C
C
:
þ
þ
þ
1
:
IF4 ð50Þ ¼ C 2 IRþ
1
2
3
4
4
50
50
50
50
The following affine combination of IF4 ð48Þ and IF4 ð50Þ
6
5
IF4 ð48Þ þ IF4 ð50Þ
11 11
22
9
5:8
0:9
C
C
C
C
:
þ
þ
þ
1
¼ C 2 IRþ
1
2
3
4
4
44
44
44
44
specifies a region containing IF4 ð44Þ since the coefficients
in the constraint are no greater than the ones in the
constraint of IF4 ð44Þ. After applying Theorem 5, the set of
points is
The computation of the solutions to (17) or (18) can be
further simplified by checking only the subset of heðiÞ
with period less than Ti plus i itself.
Theorem 5. Equation (18) is true if the following condition is true:
X
8
S
T
j ðqk Þk
8j 2 ðheðiÞ fl : Tl < Ti gÞ fig; j ðpÞ >
>
>
<X
k
k ¼ 1
>
>
>
: k
8k; k 0:
ð19Þ
Proof. Since Ti is larger than or equal to any point in I i ,
from (9) it is i ðpÞ ¼ 1p and i ðqk Þ ¼ q1k . A solution to (19)
satisfies the first constraint for i , therefore
649
X k
1 X
i ðqk Þk ¼
:
p
qk
k
k
T
For task j 2 heðiÞ fj : Tj Ti g, we also have j ðpÞ ¼ 1p
and i ðqk Þ ¼ q1k . Hence, satisfaction of the constraint for i
also implies satisfaction of the constraint for j .
u
t
i ðpÞ ¼
Theorems 4 and 5 require knowledge of the set of higher
priority tasks. However, they can be used in a priority
assignment optimization at the price of some pessimism
(redundancy) by including all tasks in (17) and (18), instead
of those with higher or equal priority only (j 2 heðiÞ).
5
SYSTEM-LEVEL REDUNDANCY
The set of points that are nonredundant at task level should
be further reduced by finding all the points I R
i I i that are
redundant considering constraints on other tasks. Informally,
some points may define regions that are not contained in
the regions of the other points for the same task, but they
bring no contribution to the system feasibility region
because one or more other task is infeasible in this
additional portion of the solution space.
¼ Ii n IR
We define I NR
i
i . We consider two cases, one in
which the redundant points I R
i are a strict subset of I i
(system-level point redundancy), the other case is when the
entire set I i is redundant (system-level task redundancy).
Case 1. If I R
i I i , then we denote the regions defined
by
the
redundant
and S
nonredundant point sets as M R
i ¼
S
NR
F
ðtÞ
and
M
M
¼
IFi ðtÞ. Thus, I R
is redundant
R I
i
i
i
t2I i
t2I NR
i
if and only if M is not altered by its removal
\
\
MNR
M
Mj :
ð20Þ
M
M¼M
Mi M j ¼ M
i
j6¼i
j6¼i
S NR
MR
Since M
Mi ¼ M
M
Mi , the condition can be rewritten as
i
!
!
[
\
\
\
R
NR
M
Mi
MNR
M
Mj
M
Mj ¼ M
M
Mj
M
Mi
i
j6¼i
,
M
MR
i
\
j6¼i
M
Mj j6¼i
,M
MR
i
\
NR
M
Mi
M
MNR
i
\
\
j6¼i
Mj
ð21Þ
j6¼i
M
Mj ¼ ;;
j6¼i
NR
where M i denotes the complementary region of M NR
i .
Case 2. If I R
i ¼ I i (the feasibility of i is implied by that
of other tasks), then I R
i is redundant if and only if
\
\
\
\
M
Mi M j ¼
M
Mj ,
M
Mj M
Mi , M
Mi M j ¼ ;: ð22Þ
j6¼i
j6¼i
j6¼i
j6¼i
5.1 System-Level Point Redundancy
A point p 2 I i is system-level redundant if and only if the
region IFi ðpÞ is contained in the union of the regions for the
other points in I i where all the other tasks are schedulable.
Theorem 6. A point p 2 I i is nonredundant at system level if
and only if there exists a solution C such that
.
p is necessary for i to be feasible at C, i.e.
.
C 2 IFi ðpÞ
8q ¼
6 p 2 I i ; C 62 IFi ðqÞ
all other tasks j are schedulable at C.
650
Proof. It follows the definition of system-level point
redundancy. If I R
i ¼ fpg, the conjunction of the above
conditions is the same as the intersection on (21). The
solution C demonstrates that this intersection is not
empty.
u
t
In practice, we could search for a feasible solution C to
the following problem:
X
8
k ðpÞCk 1
C 2 IFi ðpÞ :
>
>
>
>
k2heðiÞ
>
>
X
>
>
>
k ðqi ÞCk > 1
>
< 8qi 6¼ p 2 I i ; C 62 IFi ðqi Þ :
k2heðiÞ
_ X
>
k ðtÞCk 1
8j 6¼ i; C 2 M
Mj :
>
>
>
>
t2I j k2heðjÞ
>
>
> the disjunction is encoded in
>
>
:
an MILP formulation using ð16Þ C 0:
ð23Þ
If such a problem has no solution, the point is redundant,
otherwise it is nonredundant.
The constraints C 0 can be tightened if additional
knowledge is available. For example, bounds on C can be
obtained considering all the possible task implementations.
If the feasibility region is defined for the optimal assignment
of priorities, then the C values may be fully determined
with a drastic reduction in the number of points.
Actually, only the subset of tasks with indices in fj :
Dj < Di g is needed to check the system-level point
redundancy for task i (as the third constraint in (23)).
Theorem 7. A point p 2 I i is nonredundant if and only if there
exists a solution to the following problem:
8
X
>
k ðpÞCk 1
C 2 IFi ðpÞ :
>
>
>
>
k2heðiÞ
>
X
<
k ðqi ÞCk > 1
8qi 6¼ p 2 I i ; C 62 IFi ðqi Þ :
ð24Þ
>
k2heðiÞ
>
>
>
>
Mj :
8j 6¼ i; Dj < Di ; C 2 M
>
:
F ormulated as in ð23Þ C 0:
IEEE TRANSACTIONS ON COMPUTERS,
VOL. 62,
NO. 4,
APRIL 2013
5.2 System-Level Task Redundancy
T
From (22), since M
M ¼ j 2 M
Mj , the region M
Mi does not
contribute to M if and only if the feasibility region of the
other tasks is a subset of M i . We first provide some simple
results to simplify the detection of redundant tasks.
Theorem 8. The lowest priority task n is nonredundant.
Proof. Consider C ¼ ð0; . . . ; 0; Dn þ Þ where > 0. At C, n
is not schedulable
T (C 62 M n ), butT all other tasks are
Mj ). Thus, j6¼n M j 6 M
Mn .
u
t
schedulable (C 2 j6¼n M
Theorem 9. Task i is redundant if a lower priority task has a
smaller or equal deadline (9j; i 2 hpðjÞ with Dj Di ).
Proof. If task j is schedulable, then i is also schedulable.
Mi and i is redundant.
u
t
Thus, M j M
Theorem 10. A task i is redundant if it is not the lowest priority
task and Di ¼ Ti ¼ lcmj2heðiÞ ðTj Þ.
Proof. 8j 2 heðiÞ, j ðTi Þ ¼ dTTji e T1i ¼ TTji T1i ¼ T1j . Also, 8p < Ti , p
and q ¼ Ti satisfy the condition (17); thus, the feasibility
P
C
region of i is M
Mi ¼ IFi ðTi Þ, which is j2heðiÞ Tjj 1. This is
a trivial necessary condition for feasibility and defines a
superset of the feasibility region of any task with priority
u
t
lower than i .
The main result that allows to define the procedure for
the removal of task redundancy is the following.
Theorem 11. A task i is nonredundant at the system level if and
only if there exists a solution C such that
.
.
i is not schedulable at C;
all the other tasks are schedulable at C.
Proof. The proof follows immediately from the definition of
system-level task redundancy.
From (22), a task is
T
Mi j6¼i M
Mj ¼ ;.
u
t
redundant if and only if M
The existence of such a solution C can be checked by the
feasibility of the following MILP problem:
8
X
>
Ck k ðqi Þ > 1; 8qi 2 I i
>
< C 62 M i :
k2heðiÞ
Proof. Only if. If p 2 I i is nonredundant, there exists a
solution C to (23) which is also a feasible solution to (24).
If. Assume there exists a solution C to (24). Consider
another solution C0 where Cj0 ¼ Cj , 8j 2 heðiÞ, and Cj0 ¼ 0,
8j 62 heðiÞ. C0 satisfies the first two set of constraints in (23)
as they only depend on the values of Cj ; 8j 2 heðiÞ.
We now prove C0 satisfies the third constraint of (23).
8j where Dj < Di , C0 2 M
Mj because C 2 M j and C0 is
componentwise C. 8j where Dj Di , since C0 2 IFi ðpÞ
and Cj0 ¼ 0, 8j i, task j with a deadline Dj Di must
Mj .
u
t
be schedulable at p, which implies C0 2 M
Example. The points to check in our example are further
reduced. Point 45 in the test set of 4 is redundant since
the corresponding problem (24) has no feasible solution.
Unfortunately, Theorems 6 and 7 cannot be applied for
priority optimization without changes, given that they
require knowledge of the priority order of tasks. In Section 6,
we will show how to overcome this limitation.
8j 6¼ i; C 2 M
Mj :
>
>
:
Formulation as in ð23Þ C 0:
ð25Þ
Example. For the example in Table 1, 1 is redundant since
it satisfies the condition in Theorem 10 and 2 is
redundant since there is no feasible solution for (25).
5.3 Overall Procedure
The previous conditions allow the removal of redundant
points without changing the feasibility region. The following Theorem 15 proves that the feasibility region after
removing all the redundant points does not depend on the
removal order of the individual redundant points or tasks,
as long as point redundancy (task- and system-level) is
removed before task redundancy.
The following lemma is used to prove that the feasibility
region does not change if point redundancy is removed
before task redundancy (step 1 in Theorem 15). This lemma
ZENG AND DI NATALE: AN EFFICIENT FORMULATION OF THE REAL-TIME FEASIBILITY REGION FOR DESIGN OPTIMIZATION
(with the other lemmas and Theorem 15) is based on set
theory. For our purposes, the sets are feasibility regions.
and M
MT
Lemma 12.
the feasibility
regions
2,
SGivenT
T
T M 1 , IF1R , M R , T
M
M
M
M
Þ
M
¼
M
M
,
then
M
if ðM
M1 IF
1R
R
2
1
2
1
R
T
M
M2 ¼ M 1 M 2 .
T
S
MRT M
as
MR Þ. Thus,
Proof.TM
M1 can beTrewritten
S M 1T ðM
T
M1 M
M1 SM
MR TM
ThereM2 ¼ ðM
MR M
M2 Þ ðM
M2 Þ: T
M
M1 M
Þ M
MR M 2 ¼
f o rT
e , i t m u sTt a l sTo b eS ðM
M1 T IF1RT
M2 ¼ ðM
MR M
MT2 Þ ðM
M2 Þ.
M1 M
M
MR M
M
M1 M
T1 M
M
MR M
The intersection of M 1 M
S2 (on the
T
T right-hand
M2 T
MR M
is
side) with the left-hand side
M1T IF1R Þ M
T ðM
M
M
M
¼
;,
and
M
M
clearly empty.
Hence,
M
M
1
R
2
1
T
T
M2 .
M
M2 ¼ M 1 M R M
u
t
In Lemma 12, IF1R and M
MR represent the feasibility
regions for a redundant
point Tand a redundant task,
S
T
MR M 2 , it is safe to remove
respectively, in ðM
M1 IF1R Þ M
MR .
IF1R before M
The following lemma shows that point redundancy can
be removed in any order (step 2 in Theorem 15).
M 2 , IFT
Lemma 13. Given
2R , and
S the feasibility
S regions
T
T M 1 , IF1R , T
IF2R
M
M
M
MT
M1 IF1RSÞ ðM
MT
Þ
M
¼
M
M
M
M3 , if ðM
2
3
1
2
3,
T
T
S
M3 ¼ M
M2 IF2R Þ
M2 M
M1 ðM
t h e n T ðM
M1T IF1R Þ M
M
M3 ¼ M 1 M 2 M 3 .
T
S
S
M2 IF2R Þ can be expanded as
Proof. ðM
M1 IF1R Þ ðM
\
\
\
\
[
[
[
M2 Þ ðM
ðM
M1 M
M1 IF2R Þ ðIF1R M 2 Þ ðIF1R IF2R Þ:
S
S
T
T
TheTequality
M1 IF1R Þ ðM
M
M3 and
T between ðM
T2 IFT2R Þ M
T
l i e s T IF1RT M
M1 T
M
M1 T M
M2 M
M3 i m p S
M2 M
M3 TM
M3 , T
M3 ¼ ðM
M2
M
M2 SM
t h u s TðM
M1 IF1R ÞT M
M2T M
M1 M
M2 T M
M3 Þ ¼ M
M2T M
M3 . S i m i l a r l y ,
M
M3 ÞT ðIF1RS M
M1T M
M2 IF2R Þ M
M3 ¼ M 1 M 2 M 3 .
u
t
M
M1 ðM
If IF1R and IF2R are redundant (point) regions in the
S
representation
M1
S of Tthe system feasibility region ðM
T
IF1R Þ ðM
M2 IF2R Þ M
M3 , then they can be removed in
arbitrary order.
The following lemma proves that task redundancy can
be removed in any order (step 3 in Theorem 15).
M2R , and TM , if M ¼
LemmaT14. For
M1R ,T M
T any regions M
M2R M
M, then M
M¼M
M1R M ¼ M
M2R M .
M
M1R M
T
T
T
MT
M
MM
M1R M M
M, t h eT
n
P r o o f .T S i n cT
e M 1R M
2R
M2R M
M ¼ M 1R M
M ¼ M. Likewise, M
M2R
M
M1R M
M
M¼M
M.
u
t
We now present the main result in this section.
Theorem 15. Given a set of redundant points I R ¼ fI R
1 I
g,
we
partition
the
indices
of
its
subsets:
I 1; . . . ; I R
n
n
A1 ¼ fi : I R
i ¼ ;g, i.e., no redundancy in I i ;
A2 ¼ fi : I R
i ¼ I i g, i.e., remove all points in I i (all
points are redundant, that is, the task is redundant);
R
. A3 ¼ fi : I R
i I i ; I i 6¼ ;g (a subset of the points is
redundant).
The set I R can be removed by first checking I R
i for i 2 A3 in
for
i
2
A
in
any
order.
any order, then I R
2
i
.
.
Proof. For any subset B f1; . . . ; ng of task indices, we
denote the corresponding feasibility region as M
MB ¼
T
regions M
MA1 ¼
Ti2B M i . Thus, we
T denote the feasibility
T
Mi , M
MA2 ¼ i2A2 M
Mi , M
MA3 ¼ i2A3 M
Mi .
i2A1 M
Step 1. The set I R can be removed by first checking
R
IR
i for i 2 A3 , then I i for i 2 A2 . This step follows
651
Lemma 12 by extending it to the general case of an
arbitrary number (possibly more than two) of tasks.
is a strict subset of I i . Hence,
8i 2 A3 , the set I R
S iNR
T
M
MA3 ¼ i2A3 ðM
M
Mi Þ. The conjunction can be exMR
i
MNR
panded resulting in 2jA3 j terms. We denote M
A3 ¼
T
NR
jA3 j
M
M
,
and
the
union
of
the
other
2
1
terms
as
i
i2A3
R S
NR
M
MR
M
.
The
union
of
the
two
gives
M
¼
M
.
By
A3
A3
A3
A3
definition, the simultaneous removal of all redundant
points I R
i ; i ¼ 1; . . . ; n does not change the feasibility
region
\
\
\
M
MA1
M
MA2
M A3 ¼ M A1
M
MNR
ð26Þ
A3 :
By (26) and Lemma 12 where we set M 1 ¼ M
MNR
A3 , IF1R ¼
R
MA2 , and M
M2 ¼ M A1 ,
M
MA3 , M R ¼ M
\
\
\
\
M A2
M
MA3 ¼ M
M
MA2
M NR
MA1
M
MA1
A3
\
ð27Þ
M
MNR
¼M
MA1
:
A3
This means that the point redundancies in I R
i for i 2 A3
can be removed before the task redundancies, and the
feasibility region remains the same during
the
\
\ process,
M
MA2
M
MNR
including the intermediate result M A1
A3 .
R
Step 2. The points in the sets I i ; i 2 A3 can be
removed in any order. This step follows by generalizing
Lemma 13 to any combination of point redundancies.
For any subset B I i , we denote the feasibility region
resulting from the disjunction
S of the regions defined by
the points p 2 B as IFi ðBÞ ¼ p2B IFi ðpÞ. Suppose we have
R
1
removed an arbitrary combination I R
i I i of the
R1
redundant points for tasks in A3 . We denote
IR
i n Ii
T
T
R2
MA2 M
MA3 ¼
as IT
is M A1 M
i . The
T feasibility
S region
R1 S
R2
M
MA1 M
MNR
ðI
Þ
I
F
ðI
ÞÞ.
MA2 i2A3 ðM
I
F
i
i
i
i
i
The conjunction on the right-hand side
T can
T be
M
expanded.
One
of
the
terms
is
M
M
A
A
1
2
i2A
S
T
T3
2
ðM
MNR
IFi ðI R
M A2
i ÞÞ, thus, it is a subset of M A1
i
M
MA3 . Likewise,
\
\
\
\
M A2
M
MNR
M
MA2
M
MA1
MA1
M NR
A3 ¼ M
i
M A1
\
\
M
MA2
M
MNR
i
[
i2A3
2 :
IFi I R
i
i2A3
T
T NR
T
T
However, M A1 M
MA2 M
MA3 and M A1 M
MA2 M
MA3
are the same by the definition of redundant points, hence
\
\
\
\
M A2
M
MA3 ¼ M
M
MA2
M NR
M
MA1
MA1
A
\
\
[ R 3
ð28Þ
NR
2
M
M
:
M
M
IF I
¼M
A1
A2
i
i
i
i2A3
Now, if we remove another arbitrary redundant
2
point p in any task in A3 , i.e., 8p 2 I R
j ; j 2 A3 , by applying
the same reasoning used to derive (28), we can prove that
\
\
\
\
M A2
M
MA3 ¼ M
M
MA2
M NR
MA1
M
MA1
A3
\
\ [ R NR
2
M
Mi
M
MA2
IFi I i
¼ M A1
i2A3 ;i6¼j
\
[ R
M
MNR
IFi I i 2 n fpg
j
\
\
[ R M
MNR
M
MA2
IFi I i 2 :
¼ M A1
i
i2A3
ð29Þ
652
IEEE TRANSACTIONS ON COMPUTERS,
The last equivalence of (29) says that the region does not
change by removing a combination of point redundancies for tasks in A3 , then removing the redundant point p
for j . Because (29) holds for an arbitrary p and any task
j 2 A3 , we can remove point redundancies one by one in
any order.
Step 3. The sets I i ; i 2 A2 can be removed in any
order. This step follows by extending Lemma 14 to the
case that any number of tasks is system-level redundant.
Suppose the redundancy from A3 is removed, and the
resulting
representation
of the feasibility region is
T
T
MA2 M NR
M
MA1 M
A3 . 8i 2 A2 , we consider an arbitrary
S
subset A02 A2 n fig, and denote A002 ¼ A2 n ðfig A02 Þ.
MA02 ,
By (27) and
M1R ¼ M
T Lemma 14, if we
T define M
Mi , and M ¼ M
MA002 M
MA1 M NR
M
M2R ¼ M
A3 ,
\
\
\
\
M NR
M A002
Mi M
MA02
M
MA1
A3
\
\
\
NR
M
MA3
M
MA002
M
Mi :
¼ M A1
Similarly,Tif we define M
M1R ¼ M
MA002 , M
M2R ¼ M
Mi , and
MNR
M
M¼M
MA1 M
A3 , by Lemma 14, we obtain
\
\
\
\
\
M
MNR
M
MA002
M
Mi ¼ M
M
MNR
M
MA002 : ð30Þ
M A1
MA1
A3
A3
Therefore, the feasibility region is not altered by removing task redundancy for the tasks with index in A02 , then
removing redundancy for task i . Because (30) holds for
an arbitrary i and any set A02 A2 n fig, we can remove
u
t
task redundancy for all tasks in A2 in any order.
The procedure to find a nonredundant set of points is
summarized in Algorithm 1. First, we reduce the task-level
point redundancy as in Theorem 3 (lines 2-6) and 5 (lines 711). Then, the system-level point redundancy is exhaustively
explored for each task i and each point p 2 I i by checking
the feasibility of (24) (lines 13-19). After applying Theorems 9
and 10 (lines 20-24), the system-level task redundancy is
removed by checking the feasibility of (25) (lines 25-29).
Algorithm 1. Remove redundancy from the test set for 1: for each task i do
2:
for each p 2 I i do
3:
if 9q > p which satisfies (17) then
4:
I i ¼ I i n fpg
5:
end if
6:
end for
7:
for each p 2 I i do
8:
if (19) is feasible then
9:
I i ¼ I i n fpg
10:
end if
11:
end for
12: end for
13: for each task i do
14:
for each p 2 I i do
15:
if 6 9C which satisfies (24) then
16:
I i ¼ I i n fpg
17:
end if
18:
end for
19: end for
20: for each task i except the lowest priority one do
21: if 9j; ði 2 hpðjÞ and Dj Di Þ or Di ¼ Ti ¼ lcmj2heðiÞ Tj
then
VOL. 62,
NO. 4,
APRIL 2013
22:
Ii ¼ ;
23:
end if
24: end for
25: for each task i do
26:
if 6 9C which satisfies (25) then
27:
Ii ¼ ;
28:
end if
29: end for
Our algorithm gives a set of nonredundant points by
starting from an initial (redundant) set, such as the set P i
[2]. There is currently no guarantee that the produced set is
unique or consequently it contains the minimum number of
points. For a full-dimensional convex polytope, the minimal
halfspace representation is in fact unique and is given by
the set of facet-defining halfspaces [9]. Our conjecture is that
the nonredundant set of the (nonconvex) feasibility region
provided here is unique. As a support to this conjecture, we
did not find any counterexample in the experiments.
Unfortunately, there is no decisive answer whether the
problem of finding a nonredundant representation for the
feasibility region is NP-complete. The problem of finding a
nonredundant representation for a nonconvex polytope is
known to be strongly NP-hard. The complexity of our
algorithm depends on the number of points in the initial set,
and in the worst case the number of points in P i [2] is
exponential to the number of tasks/periods. But, of course,
there might be a more efficient algorithm than ours.
6
OPTIMIZING THE PRIORITY ASSIGNMENT
The definition of the set P i in [2] and the identification of
system-level redundancy presented in the previous section
require knowledge of the task priority assignment, which
makes them unsuitable when the assignment of priorities
is among the optimization variables. In this section, we
discuss how to remove some, but not necessarily all the
system-level redundancy regardless of the priority assignment. The method is based on the observation that,
because of the optimality of the deadline-monotonic
priority assignment when Di Ti , the feasibility region
defined by any priority order is a subset of the feasibility
region defined by the DM assignment.
Algorithm 2 describes the overall procedure to find a
sufficient test set for S
task i . We consider the set of tasks
Di ¼ fm : Dm < Di g fi g with deadline smaller than i
plus itself. First, a starting set I m is identified for each task
m 2 Di by following the rules for S m in (8) assuming that
all the tasks with smaller period than m (the only ones that
can generate points in S m ) have higher priority than m .
Then, task-level point redundancy is removed for m by
checking the conditions in (17) and (18). This is done also
with the pessimistic assumption that all the tasks with
smaller period than m have higher priority than m . Finally,
system-level point redundancy from I i is removed by
checking the feasibility of (24) where ¼ Di . We assume
priorities are assigned to tasks m 2 Di by DM. Since the
condition that a point is nonredundant includes that all
tasks 2 Di other than i are schedulable, a DM assignment
to Di avoids removing a point that is possibly nonredundant in any priority assignment.
ZENG AND DI NATALE: AN EFFICIENT FORMULATION OF THE REAL-TIME FEASIBILITY REGION FOR DESIGN OPTIMIZATION
Algorithm 2. Find a sufficient test set for task i for any
priority assignment
S
1: Di ¼ fm : Dm < Di g fi g
2: for each task m 2 Di do
S
3:
I m ¼ fkTj : Tj < Tm ; k ¼ 1; . . . ; bDTmj cg fDm g
4:
for each p 2 I m do
5:
if 9q 6¼ p which satisfies (17) assuming hpðmÞ ¼
fj : Tj < Tm g then
6:
I m ¼ I m n fpg
7:
end if
8:
if (18) is feasible assuming hpðmÞ ¼ fj : Tj < Tm g
then
9:
I m ¼ I m n fpg
10:
end if
11:
end for
12: end for
13: Assign priorities to tasks 2 Di using
deadline-monotonic policy
14: for each p 2 I i do
15:
if 6 9C which satisfies (24) where ¼ Di then
16:
I i ¼ I i n fpg
17:
end if
18: end for
The correctness of Algorithm 2 in the sense that the
resulting test set I i for task i is sufficient for any fixed
priority assignment can be formally demonstrated.
Theorem 16. For any priority assignment to , Algorithm 2
computes a sufficient test set I i for i .
Proof. Step 1. For any priority assignment, 8m 2 Di , I m ¼
S
fkTj : Tj < Tm ; k ¼ 1; . . . ; bDTmj cg fDm g is a sufficient test
set. It is an immediate consequence of the derivation of
the set S m in [11], also referred here as (8). The request
bound function only changes at multiples of the task
periods and only needs to be considered up to Dm . If
Tj Tm , then bDTmj c bTTmj c 1, i.e., any integer multiple
of Tj either equals Dm or is too large to be considered.
Step 2. The task-level redundancy removal from I m
does not change M m ; thus, the resulting test set is still
sufficient to define M m . This directly follows Theorem 4.
Moreover, we reduce the task-level redundancy from I m
based on the set of tasks in fj : Tj < Tm g, which is a
superset of fj : j 2 hpðmÞ; Tj < Tm g for any priority
assignment in Theorem 5; thus, the satisfaction of (17)
and (18) with hpðmÞ ¼ fj : Tj < Tm g is a sufficient
condition to prove p 2 I m is task-level redundant.
Step 3. By the optimality of the DM priority assignment, assignment, if any static priority scheduling
algorithm can meet all T
the deadlines, so will DM. Hence,
Mj obtained by a DM
the feasibility region j2D nfi g M
i
assignment to Di nfi g is a superset of the feasibility
region under any other priority assignment.
Step 4. As in (24) (third constraint), to check whether a
point p 2 I i is redundant, it is sufficient to check the
schedulability of tasks fj : Dj < Di g. For the conditions
in (24) where ¼ Di , if i is infeasible for p 2 I i with a
DM assignment to fj : Dj < Di g, it is also infeasible
under any other priority assignment. Thus, it is safe to
u
remove p from I i when (24) is infeasible under DM. t
653
The resulting test set from Algorithm 2 represents the
exact feasibility region regardless of the priority assignment,
but is possibly redundant.
7
SCHEDULING WITH BLOCKING TIMES
Our definition of feasibility region applies to fully preemptive periodic task sets executed independently. However,
tasks may share resources such as physical devices, or logical
resources like data structures for communication using
critical sections protected by mechanisms with bounded
blocking time like the Priority Inheritance protocol or the
Priority Ceiling protocol [20], included (in its immediate
form) in the OSEK operating system standard [18].
In the priority ceiling protocol, each resource is assigned
with a ceiling priority as the highest priority among tasks
accessing it. The worst case blocking time Bi for i with
priority i is the duration of the longest critical section from
a lower priority task j on a resource shared with i or a task
with priority higher than i (a resource with a ceiling
priority no lower than i )
Bi ¼ max max j;k ;
j2lpðiÞ
k
ð31Þ
where lpðiÞ is the set of tasks with lower priority than i ,
and j;k is the duration of the critical section of task j on the
shared resource Rk with a ceiling no lower than i .
Once the worst case blocking time is formulated, the
exact schedulability condition can be extended by adding
the blocking term Bi to the task execution time [20]
t
Cj t:
ð32Þ
9t Di ; Bi þ Ci þ
Tj
Theorem 1 can be extended to consider blocking times [2].
Theorem 17 (from [2]). Assuming task indices are assigned
according to their priorities, the task set where Di Ti is
schedulable if and only if
^ _
X t
Cj t:
Bi þ
ð33Þ
Tj
2 t2P ðD Þ
j2heðiÞ
i
i
i
Our main results can be easily extended to the case with
blocking times. When the design variable only includes C,
the Bi terms (as computed in (31)) are constant when the
size and type of the critical sections are not affected by the
optimization result (the selected task implementation). For
example, critical sections may be library functions, or their
implementation only depends on the communication data
and is independent from the versions of the control
algorithms. If the blocking times depend on the optimization variables, these dependencies need to be encoded as
additional constraints in the problems (24) and (25).
When also optimizing the priority assignment, assignments, Bi depends on the priority level. This dependency
must be encoded with additional constraints and used
during the point/task reduction for the definition of the
feasibility region. An MILP formulation of the Bi term can
be done as follows: A binary parameter Uj;k is defined as 1 if
task j uses resource Rk and 0 otherwise. A binary variable
pi;j is defined as 1 if i has a higher priority than j . Also, a
set of real-valued constants j;k indicates the length of the
critical section executed by j on Rk . By these definitions,
654
IEEE TRANSACTIONS ON COMPUTERS,
Bi ¼ max j;k where ðUj;k ^ pi;j Þ ^ ðUh;k ^ ph;i Þ ¼ 1:
h6¼i;j6¼i;k
Given that the U values are constant, the terms on which
the maximum is computed can be 0 or the product
j;k pi;j ph;i . This term can be directly handled by some
solvers, but can also be linearized as follows.
The product xb of a real variable x and a binary variable b
can be reformulated with a real variable y and the
additional constraints x Mð1 bÞ y x and 0 y Mb (M is a constant greater than the upper bound of x).
As for the max function, the generic definition Y ¼
maxi fyi g can be simply translated to a set of constraints
Y yi for all the possible yi , when Y only appears on the
left-hand side of “ ” constraints, and the cost function (to
be minimized) is monotonically nondecreasing with Y .
Otherwise, a more complex formulation is required: an
additional binary variable ai is associated with each yi ,
which is defined as 1 if Y ¼ yi , and 0 otherwise. The relation
Y ¼ maxi fyi g is formulated by the constraints
8i; yi Y yi þ Mð1 ai Þ
X
ai ¼ 1:
i
Finally, the term Bi in (32) and (33) can be replaced by an
upper bound Bub (the largest critical section in the system)
to achieve a sufficient-only condition.
8
PREEMPTION THRESHOLD SCHEDULING
Preemption may be selectively disabled among tasks using
several methods. The most popular is the preemption
threshold [24] supported by the ThreadX kernel [22]. A
preemption threshold scheduling model may have several
practical motivations, including improving the schedulability of lower priority tasks, reducing the required
amount of stack space, and improving predictability of
the worst case execution time by preventing context
switches in places that heavily affect cache line reuse.
8.1 Analysis of Tasks with Preemption Thresholds
For a task i with priority i (higher values correspond to higher
priorities), the preemption threshold is defined as i i . A
task i can preempt another task j only if its priority i is
higher than j . This means that a higher priority task may
wait for a lower priority (but higher preemption threshold)
task to finish execution. Therefore, the worst case blocking
time for task i is the maximum execution time of the lower
priority tasks (j < i ) with a preemption threshold (i j )
Bi ¼ max Cj :
j <i j
VOL. 62,
NO. 4,
ð34Þ
The response time analysis for tasks with preemption
threshold was proposed in [24] and later fixed in [19]. Tasks
are scheduled with two different modes. When ready, they
are scheduled with their priority, but as soon as they start
execution, they behave as if their priority is raised to the
preemption threshold. Accordingly, the analysis is performed in two steps. First, the worst case start time is
computed. Then, the worst case finish time. The worst case
start time Si and finish time Fi of the first instance of i can
be calculated by the following [24]:
Si
1þ
Si ¼ Bi þ
Cj
T
j
j2hpðiÞ
X Fi Si
1
Cj :
Fi ¼ Si þ Ci þ
Tj
Tj
>
APRIL 2013
X j
ð35Þ
i
Unfortunately (as explained in [19]), the first instance is
not necessarily the one with the largest response time. All
instances in the busy period of level i need to be
considered. The start time and finish time for the instances
q ¼ 0; 1; . . . ; q in the busy period are
X Si ðqÞ
Cj þ qCi
1þ
Si ðqÞ ¼ Bi þ
Tj
j2hpðiÞ
ð36Þ
X Fi ðqÞ
Si ðqÞ
Fi ðqÞ ¼ Si ðqÞ þ Ci þ
1
Cj :
Tj
Tj
>
j
i
The worst case response time of i is computed as Ri ¼
maxq¼0;...;q fRi ðqÞ ¼ Fi ðqÞ qTi g, where q ¼ bLTii c is the largest index in the level-i busy periodPLi . Li can be calculated
by the iterative formula Li ¼ Bi þ j2heðiÞ dLTji eCj .
From (36), the amount of workload from higher priority
tasks before the completion of i depends on the finish time
Fi as well as the start time Si .
The need to consider the first q instances, together with
the fact that the number q is not known a priori, results in
excessive complexity for optimization purposes. Given that
the linearization of the exact feasibility region is exceedingly
complex, we look for lower and upper bounds corresponding, respectively, to sufficient-only (pessimistic) and necessary-only (optimistic) conditions.
Pessimistic and optimistic tests can be used for the
definition of lower and upper bounds to the feasibility
region, which can be used inside procedures for finding
good quality solutions to the optimization problem. For
example, the optimum solution can be found with a local
search starting from the two optimum points (on the upper
and lower bounds). With luck, the optimum on the upper
bound could be feasible so that it would be the optimal
solution to the problem. With respect to this possibility, it is
important to estimate how optimistic the necessary test is,
and how far apart are the three region boundaries. The
experimental section will discuss this issue.
There is an additional limitation to the study on
preemption thresholds. The definition of the region in the
domain of the priority assignment is complicated due to the
dependency of the preemption thresholds on the priority
levels. We do not have a solution for this problem, and the
only optimization variable discussed for this model is C.
8.1.1 A (Pessimistic) Lower Bound on the Feasibility
Region in a Preemption Threshold Scheduling
Model
A sufficient condition for the schedulability of i is that i is
schedulable assuming it is fully preemptive, i.e., its
preemption threshold is the same as its priority.
Theorem 18. Assuming task indices are assigned according to
their priorities, the task set where Di Ti is schedulable if
X t
^ _
Cj t;
Bi þ
ð37Þ
Tj
2 t2P ðD Þ
j2heðiÞ
i
i
i
ZENG AND DI NATALE: AN EFFICIENT FORMULATION OF THE REAL-TIME FEASIBILITY REGION FOR DESIGN OPTIMIZATION
655
where Bi is computed as in (34). The set P i ðDi Þ can be
reduced using the same method as in the fully preemptive
case. The formulation of the blocking time requires the
additional constraints Bi Cj , 8j 2 fj : j < i j g. These
constraints do not need additional binary variables, since
the term Bi is only involved in the left side of the “ ”
constraints in (37) with positive coefficients.
(39), there must be at least one local minimum of i ðsÞ
and i ðs; fÞ less than or equal to 1.
Local minima of S
i belong to the set S i ¼ fðkTj Þ jj 2
Di
hpðiÞ; k ¼ 1; . . . ; b Tj cg fDi g. Hence,
X _
s
Bi þ
1þ
ð40Þ
Cj s:
T
j
s2S j2hpðiÞ
8.1.2 An (Optimistic) Upper Bound on the Feasibility
Region in a Preemption Threshold Scheduling
Model
A necessary condition for the schedulability of task i is that
its first instance in the busy period is schedulable.
The representation of the feasibility region requires
computing pairs of points ðs; fÞ, where s and f are possible
start and finish times. The following theorem extends (8) to
preemption threshold scheduling, and defines conditions
for the feasibility of the first instance in the busy period.
Local minima of i belongs to the set F i , thus
X X f _
s
Bi þ
1þ
Cj þ
Cj þ Ci f: ð41Þ
Tj
Tj
f2F i
j2hntðiÞ
j2htðiÞ
Theorem 19. The feasibility W
region M
Mi for the first instance of i
is expressed as C 2 IRþ
n :
ðs;fÞ2I i
8
X s
>
>
>
Cj < s
B
þ
>

>
>
C
C
þ
þ
þ
C
f;
B
j
j
i
>
: i
T
T
j2hntðiÞ
j
j2htðiÞ
j
where the sets I i , S i , and F i are defined as the set of candidate
point pairs, start and finish times for i , respectively.
I i ¼ fðs; fÞ : s 2 S i ; f 2 F i ; s fg
[
Di
fDi g
S i ¼ kTj : j 2 hpðiÞ; k ¼ 1; . . . ;
Tj
[
Di
fDi g:
F i ¼ kTj : j 2 htðiÞ; k ¼ 1; . . . ;
Tj
The set htðiÞ ¼ fj : j > i g represents the set of tasks with
priority higher than the preemption threshold of i , and hntðiÞ ¼
fj : i < j i g ¼ hpðiÞnhtðiÞ represents the complement of
htðiÞ with respect to hpðiÞ.
Proof. In order for the first instance of i to be schedulable,
there must exist a pair of points s f Di such that the
instance can start before or at s and finish before or at f
X s
Cj s
Bi þ
1þ
T
j
j2hpðiÞ
ð39Þ
X X f s
Cj þ
Cj þ Ci f:
1þ
Bi þ
Tj
Tj
j2hntðiÞ
j2htðiÞ
i
fs
The equivalence 1 þ bsTj c ¼ dTsj e holds true for all points
s ¼ kTj . Therefore, (40) and (41) can be replaced by (38),
which concludes the proof.
u
t
For convenience, we denote the halfspace defined by the
linear inequality in (38) associated with the request bound
function for the start and finish times as
8
9
<
=
X s
Cj < s
SSi ð; sÞ ¼ C 2 IRþ
n : Bi þ
:
;
Tj
j2hpðiÞ
8
<
X s
þ
IFi ð; s; fÞ ¼ C 2 IRn : Bi þ
Cj
:
Tj
j2hntðiÞ
9
=
X f þ
Cj þ Ci f :
;
Tj
j2htðiÞ
T
Their intersection is I i ð; s; fÞ ¼ S i ð; sÞ IFi ð; s; fÞ. The
short notations SSi ðsÞ, IFi ðs; fÞ, and IIi ðs; fÞ are used for
S i ð; sÞ, IFi ð; s; fÞ, and IIi ð; s; fÞ, respectively. Thus, the
feasibility region of i is
[
[ \
M
Mi ¼
IIi ðs; fÞ ¼
ð42Þ
S i ðsÞ IFi ðs; fÞ :
ðs;fÞ2I i
ðs;fÞ2I i
8.1.3 Removing Redundancy in the Point Pairs Defining
Start and Finish Times
The reduction of point pairs involves a more complicated
definition of the possible types of redundancy:
.
.
We define the following functions:
P
Bi þ j2hpðiÞ 1 þ Tsj Cj
i ðsÞ ¼
s
P
P
Bi þ j2hntðiÞ 1 þ Tsj Cj þ j2htðiÞ Tfj Cj þ Ci
i ðs; fÞ ¼
:
f
.
i ðsÞ and i ðs; fÞ are strictly decreasing with respect to s
except for points in S i . i ðs; fÞ is strictly decreasing with
þ
respect to f except
points in F þ
i ¼ fðkTj Þ jj 2 htðiÞ;
S for
þ
Di
þ
k ¼ 1; . . . ; b Tj cg fDi g, where ðkTj Þ denotes a number
infinitely close, but still larger than kTj . Thus, to satisfy
.
.
.
Task-level finish time redundancy. For any finish time
M
f 2 F i , if the resulting region M
i after removing f
Mi .
from F i is the same as M
Task-level start time redundancy. For any start time
s 2 S i , if the resulting region M i after removing s
Mi .
from S i is the same as M
System-level start time redundancy. For any start time
s 2 S i , if the resulting region M after removing s
M.
from S i is the same as M
Task-level point pair redundancy. For any start/finish
M
time pair ðs; fÞ 2 I i , if the resulting region M
i after
Mi .
removing ðs; fÞ from I i is the same as M
System-level point pair redundancy. For any start/
M
finish time pair ðs; fÞ 2 I i , if the resulting region M
after removing ðs; fÞ from I i is the same as M .
System-level task redundancy: for any task i , if the
resulting region M after removing all points in I i is
the same as M
M.
656
IEEE TRANSACTIONS ON COMPUTERS,
In the following, we develop theorems to find these
redundancies. The proofs of some theorems are omitted as
they are similar to those provided for the preemptive case
in Sections 4 and 5. Proof details can be found in [25].
Finding task-level finish-time redundancy. Each candidate finish time f 2 F i only defines the second linear
constraint as in IFi ðs; fÞ. Since the regions IFi ðs; fÞ for each
pair ðs; fÞ are OR-ed to define the feasibility region of i , to
prove f is redundant, it is sufficient to prove that for any
s 2 S i , the region IFi ðs; fÞ is contained in the union of all
other regions IFi ðs; gÞ, g 2 F i ; g 6¼ f.
Theorem 20. A point f 2 F i is redundant if for all other points
gk 2 F i ; gk 6¼ f, there exists a solution ¼ ð1 ; . . . ; jF i j1 Þ
which satisfies the constraints
X
8
S
j ðgk Þk
>
8j 2 htðiÞ fig; j ðfÞ >
>
<
k
X
ð43Þ
k ¼ 1
>
>
>
k
:
8k; k 0:
P
Proof. 8s 2 S i , we define Gi ¼ Bi þ j2hntðiÞ dTsj eCj þ Ci .
Given that f Di Ti ¼) i ðfÞ ¼ f1 dTfi e ¼ f1 , the second
inequality in (38), which defines the halfspace IFi ðs; fÞ, is
P
then rewritten as i ðfÞGi þ j2htðiÞ j ðfÞCj 1.
As in Theorem 4, if (43) admits a solution, then the
region IFi ðs; fÞ is contained inside the union of the
IFi ðs; gk Þ regions
S defined by all other points gk 2 F i , i.e.,
8s; IFi ðs; fÞ k IFi ðs; gk Þ.
Hence, 8s 2 S i , the region IIi ðs; fÞ is contained by the
union of the regions IIi ðs; gk Þ defined by the other pairs
u
t
ðs; gk Þ, and f can be safely removed from F i .
A theorem similar to Theorem 3 can be derived for the
reduction of the finish time candidate points.
Theorem 21. The set of redundant points in F i includes all
points f for which there exists another point g such that
[
ð44Þ
8j 2 htðiÞ fig j ðfÞ j ðgÞ:
Finding task-level start-time redundancy. Each start time
s 2 S i defines both linear constraints in (38). Consequently,
the condition for establishing the redundancy of s are more
stringent than those for finish times. To safely remove s
from S i , not only the region SSi ðsÞ must be contained in the
union of the halfspaces SSi ðtÞ for a subset of points t in S i ,
but IFi ðs; fÞ should be contained in the regions IFi ðt; fÞ for
the same set of points t.
Theorem 22. A point s 2 S i is redundant if for all other points
tk tkmax , tk 6¼ s, there exists a solution ¼ ð1 ; . . . ; tkmax Þ
which satisfies the following constraints:
8
kmax
X
>
>
>
> 8j 2 heðiÞ j ðsÞ j ðtk Þk
>
>
<
k¼1
kmax
ð45Þ
X
>
>
¼
1
k
>
>
>
>
: k¼1
8k; k 0;
where tk 2 S i are indexed by increasing order, and
tk
s
kmax ¼ max 8j 2 hntðiÞ;
:
k
Tj
Tj
ð46Þ
VOL. 62,
NO. 4,
APRIL 2013
Finding system-level start-time redundancy. The set of start
times that are nonredundant at task level can be further
reduced by removing all the points that are made
redundant by the feasibility region of other tasks.
Theorem 23. A point s 2 S i is system-level redundant if there is
no solution C such that (kmax is defined as in (46))
.
.
.
C 2 SSi ðsÞ
8tk tkmax ; tk 6¼ s; C 62 S i ðtk Þ
all other tasks j are schedulable at C.
The feasibility region M
Mj of task j can be formulated as
in the fully preemptive case. kj ¼ dlog2 mj e binary variables
are used to encode the mj ¼ jI j j constraints (one for each
point pair in I j ). The function Ej ðm; kÞ in (15) associates the
values of the variables bj;k with each constraint on a point
pair ðsj;m ; fj;m Þ.
8ðsj;m ; fj;m Þ 2 I j ;
8
kX
j 1
X sj;m >
>
>
C
þ
<
s
þ
M
Ej ðm; kÞ
B
>
j
i
j;m
>
>
Ti
>
k¼0
i2hpðjÞ
>
>
>
>
X sj;m X fj;m >
>
>
>
Ci þ
Ci þ Cj fj;m
B þ
>
< j
Ti
Ti
ð47Þ
i2hntðjÞ
i2htðjÞ
Pkj 1
>
>
þ M k¼0 Ej ðm; kÞ
>
>
>
>
>
k
1
j
>
X
>
>
>
ð2k bj;k Þ mj 1
>
>
>
>
k¼0
>
:
8i 2 fi : i < pij i g; Bj Ci :
Finding task-level point pair redundancy. A point pair ðs; fÞ
is task-level redundant if the removal of the associated
feasibility region IIi ðs; fÞ does not change the feasibility
region M i of i or, alternatively
[
IIi ðs; fÞ M
M
I i ðs0 ; f 0 Þ:
i where M i ¼
ðs0 ;f 0 Þ2I i
ðs0 ;f 0 Þ6¼ðs;fÞ
Theorem 24. A point pair ðs; fÞ 2 I i is nonredundant at task
level if and only if there exists a solution C such that ðs; fÞ is
necessary for i to be feasible at C, i.e.,
.
.
C 2 IIi ðs; fÞ
8ðsi;m ; fi;m Þ 6¼ ðs; fÞ 2 I i ; C 62 IIi ðsi;m ; fi;m Þ.
The first condition can be formulated using the following
two constraints (according to the definition of I i ðs; fÞ).
8
X s
>
>
> Bi þ
Cj < s
>
<
Tj
j2hpðiÞ
ð48Þ
X s
X f >
>
>
Cj þ
Cj þ Ci f:
Bi þ
>
:
Tj
Tj
j2hntðiÞ
j2htðiÞ
The second condition is equivalent
to C 62 I i ðsi;m ; fi;m Þ
S
i ðsi;m ; fi;m Þ. This can be
() C 2 Ii ðsi;m ; fi;m Þ ¼ SSi ðsi;m Þ IF
verified by setting up a linear programming problem as
follows: A binary variable bi;m is associated with each point
pair ðsi;m ; fi;m Þ 6¼ ðs; fÞ 2 I i
1 if C 2 SSi ðsi;m Þ
ð49Þ
bi;m ¼
i ðsi;m ; fi;m Þ:
0 if C 2 IF
Thus, 8ðsi;m ; fi;m Þ 6¼ ðs; fÞ 2 I i
ZENG AND DI NATALE: AN EFFICIENT FORMULATION OF THE REAL-TIME FEASIBILITY REGION FOR DESIGN OPTIMIZATION
8
X si;m >
>
>
Cj þ Mð1 bi;m Þ si;m
B
þ
>

>
>
C
Cj þ Ci þ Mbi;m > fi;m :
B
þ
þ
j
>
: i
T
T
j
j2hntðiÞ
j
j2htðiÞ
ð50Þ
A total of mi ¼ jI i j 1 binary variables are required to
encode the infeasibility of these mi point pairs.1
Contrary to the previous case (34), the constraints in (50)
define conditions for nonfeasibility and the terms Bi appear
on the left-hand side of “ ” constraints with positive
coefficient. We use a binary variable ai;j for each task j with
j 
>
< 8j 2 fj : j 
a
¼
1:
i;j
>
:
j:j 
>
>
< 8ðs ; f Þ 6¼ ðs; fÞ 2 I ;
i;m
i;m
C 62 IIi ðsi;m ; fi;m Þ :
>
>
>
: Bi ¼ max Cj :
j:j <i j
i
Formulated as in ð50Þ
Formulated as in ð51Þ:
Finding system-level point pair redundancy. For the point
pair ðs; fÞ, the feasibility region I i ðs; fÞ is system-level
redundant if its removal does not change the system
feasibility region M
M. It is equivalent to prove that
\
[
\
IIi ðs; fÞ M j M
M where M
M ¼
IIi ðs0 ; f 0 Þ M
Mj :
j6¼i
ðs0 ;f 0 Þ2I i
ðs0 ;f 0 Þ6¼ðs;fÞ
j6¼i
Theorem 25. ðs; fÞ 2 I i is nonredundant at system level if and
only if there exists a solution C such that
.
ðs; fÞ is necessary for i to be feasible at C, i.e.,
.
C 2 IIi ðs; fÞ
8ðsi;m ; fi;m Þ 6¼ ðs; fÞ 2 I i ; C 62 IIi ðsi;m ; fi;m Þ.
all other tasks j are schedulable at C.
The existence of such a solution C can be checked by the
feasibility of the following MILP problem:
8
Formulated as in ð48Þ
C 2 IIi ðs; fÞ :
>
>
> 8ðs ; f Þ 6¼ ðs; fÞ 2 I ;
>
>
i;m
i;m
i
<
C 62 I i ðsi;m ; fi;m Þ : Formulated as in ð50Þ
>
Formulated as in ð51Þ
Bi ¼ max Cj :
>
>
>
j:j 
:
Formulated as in ð47Þ:
8j 6¼ i; C 2 M
Mj :
T
Finding system-level task redundancy. Since M ¼ j 2 M
Mj ,
the region M
Mi does not contribute to the definition of M if
and only if the feasibility region of the other tasks is a subset
of M
Mi .
Theorem 26. i is nonredundant at the system level if and only if
there exists a set of execution times C such that
1. It can be improved by grouping together the point pairs with the same
start time.
.
.
657
i is not schedulable at C.
all other tasks j are schedulable at C.
The existence of such a solution C can be checked by the
feasibility of the following MILP problem:
8
>
< 8ðs; fÞ 2 I i ; C 62 IIi ðs; fÞ : Formulated as in ð50Þ
Bi ¼ max Cj :
Formulated as in ð51Þ
j:j 
:
Formulated as in ð47Þ:
8j 6¼ i; C 2 M
Mj :
9
EXPERIMENTAL RESULTS
We performed experiments to assess the effectiveness and
efficiency of our algorithm in reducing the set of points.
First, we discuss the case of fully preemptive systems by
applying our method to randomly generated task sets, then
to an automotive case study. Next, we provide experimental
results for the extension to task sets with blocking times and
with preemption thresholds.
9.1 Random Task Sets, Preemptive Case
We generate applications consisting of random sets with
n ¼ 5 to 33 tasks. The systems are assumed to be fully
preemptive. One thousand sets are generated and then
examined for schedulability for each n. The periods of the
tasks are generated by the product of one to three factors,
each randomly drawn from three harmonic sets (2, 4),
(6, 12), (5,10). This generates periods belonging to at most
three harmonic sets, as is the case for most applications of
practical interest. In one set of experiments, deadlines are
assumed equal to periods. In another set, deadlines are
randomly selected between T =2 and T for each task.
Priorities are assigned to tasks according to the deadlinemonotonic policy, since it has the largest feasibility region
among all the fixed priority scheduling policies, and it is
likely to require the largest number of points. We compare
the number of points to be checked for the lowest priority
task and for the entire set.
We start from the set I i ¼ S i in (8). Of course, if we start
from the set I i ¼ P i , the number of points at each intermediate step of redundancy reduction is smaller and the
runtime of Algorithm 1 is shorter. The resulting nonredundant set is the same regardless of the starting set, or the
ordering of the tasks i or points p 2 I i in the algorithm.
In the case of the 1,000 runs on 10-task systems with
deadline equal to period, these are the results. For the
lowest priority task, only one point needed to be checked
in 14.3 percent of the cases, 2 in 24.8 percent of the cases,
4 points in 48.3 percent of the cases, and 8 points in
80.8 percent of the cases. As a comparison, when using P i
[2], no more than four and eight points provide an exact
test in 29.2 and 49.6 percent of the cases, respectively. For
the schedulability of the whole task set, the total number of
points are compared in Fig. 4. On average, the number of
points in the nonredundant set is 54 percent less than what
is required by the method in [2].
When considering sets from 5 to 33 tasks, Fig. 5 shows the
amount of redundancy detected by our method with respect
to the sets P n and P of [2] for the lowest priority task (dark
line) and the entire task set (light line), respectively. The
nonredundant sets computed by Algorithm 1 are I n and I.
For sets of more than 20 tasks, we limited the running time
of the solver for each MILP problem to 60 seconds, indicated
658
Fig. 4. Number of points for checking feasibility of all tasks (10-tasks
sets).
Fig. 5. Percentage of redundancy found in P n and P.
by the dashed lines in Fig. 5. In general, the percentage of
detected redundancy increases with the number of tasks.
For the first set of experiments where D ¼ T , the percentage
of redundancy in P increases from 43.24 percent for n ¼ 5 to
74.49 percent for n ¼ 20. Despite the runtime limitation, up
to 84 percent redundancy is found for sets with 33 tasks. The
second set of experiments, with D T , has similar
percentage of reduction to P n and P. In all cases, S n is
found to contain more than 99 percent redundant points and
S is more than 97 percent redundant.
9.2 Algorithm Complexity
Our algorithm consists of a first stage, in which task-level
redundancy is removed, and a second stage, for removing
system-level redundancy. The first stage is based on the
checking of a set of simple inequalities (Theorem 3) or the
solution of linear programming problems (Theorem 5). This
can be checked in a very short time (linear-programming
problems are solvable in polynomial time). The second
stage requires solving a very large number of problems in
(24) and (25). To check the feasibility of (24) and (25) for task
i , it requires an exact formulation of the feasibility region of
other tasks j . Thus, having a first stage which reduces
many of the redundant points allows a compact formulation of the feasibility region in the second stage. These
problems are solved using CPLEX 11.0 on a machine with
an Intel Pentium 3.2 GHz CPU and 1 GB memory.
The runtime information for the experiment where D ¼ T
is shown in Fig. 6, where the light/orange line shows the total
runtime of Algorithm 1 for the 1,000 samples, and the black
line denotes the maximum runtime among them. The
runtime grows faster than exponentially with respect to the
number of tasks. However, most of the time is spent on a few
cases where solving (24) or (25) is time consuming. We
performed another set of experiments by setting a 60-second
IEEE TRANSACTIONS ON COMPUTERS,
VOL. 62,
NO. 4,
APRIL 2013
Fig. 6. Runtime to find the test set with/without timeout.
time limit to the MILP solver. For each instance of (24) or (25),
if the solver fails to find a feasible solution or prove
infeasibility in 60 seconds, we leave the points in the test
set (a safe, conservative assumption). The resulting runtimes
are shown for sets up to 33 tasks with dashed lines in Fig. 6.
The time limit to the solver may result in some residual
redundancy in the test set I 0 . However, the difference is very
small: up to n ¼ 15, I 0 and I are exactly the same; for n ¼ 16
to 20, I 0 contains 3, 21, 31, 30, and 38 more points,
respectively. The maximum percentage of residual redundancy in I 0 is 0.04 percent with n ¼ 18. Thus, enforcing a time
limit to the MILP solver allows avoiding long runtimes at the
price of a very small redundancy.
Also, to prove that a point is system-level redundant we
need to prove that (24) is infeasible. This is in general much
harder than to find a feasible C. For n ¼ 16, 17, 18, 19, 20,
the average runtimes for the cases where (24) is infeasible
are 490, 509, 1,021, 20,618, and 21,615 ms, respectively. Even
if we do not count the outliers (runtime 60 seconds), the
average runtime is 246, 321, 483, 834, 1,030 ms, respectively.
If (24) is feasible, the average runtime is much shorter: 15,
19, 23, 41, 67 ms, respectively.
9.3 An Automotive Case Study
We applied our algorithm to a case study consisting in the
optimization of multitask implementations of a Simulink
models with 90 function blocks executed at seven different
periods [13]. Functional blocks must be mapped for
execution into tasks and priorities must be assigned to tasks
so that all blocks meet their deadlines. Code generation tools
enforce the addition of extra buffering and delays whenever
there is a rate transition among functional blocks with a
possible preemption. The optimization objective is to
minimize additional buffers and delays by preventing
preemptions between communicating blocks with different
rates. The overall system utilization is 94.1 percent. The
function blocks communicate through 106 links, 37 from
high rate to low rate blocks which could require a rate
transition block with an additional memory buffer, 31 from
low to high rate blocks possibly requiring a rate transition
block with two additional memory buffers and an additional functional delay. Since task priority assignment is
among the optimization variables, Algorithm 2 is used to
find the test set for the exact definition of the feasibility
region.
The computation time of our reduced set of points takes
only 3.7 seconds. Using Algorithm 2, the total number of
points that are required to define the feasibility region for
this problem is 113, and the number of additional binary
ZENG AND DI NATALE: AN EFFICIENT FORMULATION OF THE REAL-TIME FEASIBILITY REGION FOR DESIGN OPTIMIZATION
variables to encode the disjunctive constraints is zero.
Indeed, knowledge on the worst case execution times in (24)
allows to check the feasibility of each task using only one
constraint. Under the hypothesis of DM assignment, the
method in [2] would require 561 points and 290 additional
binary variables for the definition of the feasibility region.
We then performed a comparison of the optimization
runtimes using the set in [2] and our set. When using the
set from [2], the solver cannot find a feasible solution in more
than 2 hours. Using our reduced set, the optimal solution can be
found in 6.8 seconds [14]. Hence, the 3.7 seconds spent in
removing redundancy in the set of points are worth hours of saved
optimization time.
To better show the effectiveness and the time advantage of
the proposed method over conventional search techniques,
we also implement a branch-and-bound method to solve the
problem. The problem essentially is to assign priority orders
to 90 function blocks; thus, there are 90!ð 1:5 10138 Þ
different solutions. By preassigning the priority orders
according to simple schedulability conditions and precedence constraints as in [14], there are about 2:1 1050
solutions remaining. This is too large a space to explore with
simple branch-and-bound method, even with the most
powerful computer today regardless how fast the feasibility
analysis is at each step. Therefore, we define a subset of the
original case study consisting of 18 functional blocks and 17
communication links. To compensate for the reduction in the
load, the utilization is scaled up to 95.7 percent. Among the
18!ð 2:8 1016 Þ possible priority assignments, 8:5 106
remain after the preprocessing stage where obvious nonfeasible solutions are pruned and some priority orders are
preassigned [14]. The schedulability analysis routine is then
called for 2:0 107 times. The total runtime is 26.7 seconds
for the branch-and-bound optimization using the set of
points from Algorithm 2, and 29.6 seconds using the set of
points from [2]. The runtime is 38.1 seconds with response
time-based analysis. As a comparison, the same problem can
be solved in less than 0.1 second using CPLEX. For larger
(realistic) systems, branch and bound with analysis at each
step may simply be inapplicable. A powerful solver like
CPLEX with many modern optimization techniques can
solve the problem much quicker, as in the full version of the
case study. It also shows that a small improvement on the
feasibility analysis can result in a huge difference in the
runtime of the solver.
9.4 Scheduling with Blocking Times
In this section, we present the results on task sets with
blocking times. The periods of the task sets are generated
similarly to the ones in Section 9.1; the deadlines are
assumed to be equal to the periods. We examine two cases.
In the first, blocking times are small, with each critical
section taking at most 5 percent of the period (B 5%T ). In
the second set, blocking times are larger (up to 40%T ).
Fig. 7 shows the amount of redundancy detected by our
method with respect to the sets P n and P of [2] for the
lowest priority task as well as the entire task set. For the
first set of experiments (B 5%T ), the percentage of
redundancy in P increases from 14.79 percent for n ¼ 5 to
65.76 percent for n ¼ 20. The second set of experiments,
with B 40%T , results in an even higher percentage of
redundancy, from 23.23 percent for n ¼ 5 to 72.26 percent
for n ¼ 20.
659
Fig. 7. Percentage of redundancy found in P n and P for task sets with
blocking times.
9.5 Preemption Threshold Scheduling Model
In this section, we present the results on systems scheduled
with a preemption threshold model. In Section 8, we argue
that an exact characterization of the feasibility region will be
exceedingly complex, and we define lower and upper
bounds to the region. Here, we attempt a quantification of
the difference between the exact region and its upper and
lower bounds, which corresponds to necessary-only (optimistic) and sufficient-only (pessimistic) conditions for
feasibility. Also, for the necessary-only condition, we perform experiments to assess the effectiveness of our algorithm
in finding the set of point pairs and to estimate the number of
points that are needed for the definition of the system
feasibility region. The sufficient-only condition is based on
the finish time only, and the effectiveness and efficiency of
the algorithm are similar to fully preemptive scheduling.
We generate applications consisting of random sets with
n ¼ 5 to 15 tasks. One thousand task configurations are
tried for each n. Priorities are assigned to tasks according to
the deadline-monotonic policy, and preemption thresholds
are uniformly distributed between the task priority and the
highest priority level in the system. The task periods are
randomly generated in the same way as in Section 9.1. Two
deadline settings are considered, D ¼ T , and D randomly
distributed between T =2 and T . All problems are solved
using CPLEX 12.1 on a machine with an Intel Xeon 3.0 GHz
CPU and 2 GB memory.
To quantify the difference between the exact feasibility
region and its approximation, for each of the 1,000 task
configuration, a number of task utilizations have been
generated by selecting execution times such that the system
utilization is uniformly distributed between 0 and 100 percent
(using the UUniFast algorithm in [3]). We count the numbers
N suf , N exact , and N nec that are feasible by the sufficient, exact,
and necessary tests respectively, until N exact reached 105 . The
difference between the exact and sufficient (necessary)
conditions as an indication of the amount of pessimism
(optimism) can be quantified by suf (
nec ) as below
suf ¼
N exact N suf
N nec N exact
nec
100%;
¼
100%:
N exact
N exact
Fig. 8 plots the number of feasible utilization sets for the
necessary-only and sufficient-only tests in the case of 1,000
task configurations of a 10-task system with D ¼ T . The
difference between the sufficient and exact conditions is
significant: of the 1,000 runs, 937 have N suf < 105 , with a
minimum of 45,077, and an average of 88,034. However, the
660
IEEE TRANSACTIONS ON COMPUTERS,
VOL. 62,
NO. 4,
APRIL 2013
Fig. 8. Number of task sets feasible for necessary and sufficient
conditions (10-tasks sets).
Fig. 10. Runtime of the algorithm (with and without the time limit) to find
the nonredundant set.
Fig. 9. Number of points for checking feasibility of all tasks with
preemption thresholds (10-tasks).
fully preemptive case, their average numbers of nonredundant points are roughly the same. In 452 task sets, fully
preemptive scheduling requires more points than preemption threshold scheduling, and in 492 cases it requires less.
The average redundancy with respect to the set I n in
Theorem 19 is always very high (>99:99%) for both D ¼ T
and D T .
The runtime of the algorithm for the case D ¼ T is shown
in Fig. 10, where the light line shows the total runtime for
the 1,000 configurations, and the dark line is the maximum
runtime among them. The runtime grows more than
exponentially with respect to n. Similar to the preemptive
case, we tried to limit the runtime of the solver for each
MILP problem to 60 seconds, trading a possible redundancy
for a shorter runtime. We were only able to process sets
with n 15. The difficulty does not originate from the
MILP problems (the time saved by the timeout is very
small), but from the huge number of initial point pairs
(quadratically more than the fully preemptive case). For
n ¼ 9; 10; 12; 13; 14; 15, the set I 0 obtained using a timeout in
the solver contains 52, 57, 1, 361, 28, and 143 more points
than the nonredundant set, respectively. For all the other n,
I 0 and I are identical. The maximum percentage of residual
redundancy in I 0 is 1.0 percent when n ¼ 13.
necessary-only test fares much better. The number of
feasible task sets for the necessary-only test is very close
to the ideal line at 100,000. Only in 109 out of 1,000 task
configurations, the optimistic test provides false results for
at least one task set, i.e., N nec > 105 . In 59 of these
configurations, there are less than 10 false positives, and
only in two configurations, the test fails for more than 1,000
utilization sets (N nec N exact > 1;000).
The small difference between N nec and N exact is also
confirmed for task configurations with n 6¼ 10. We tried n
from 5 to 15 for a total of 16,000 configurations. The average
value nec is lower than 0.021 percent, and the maximum
nec is 6.1 percent. The sufficient condition provides a much
easier formulation, but its use may easily result in a
suboptimal solution. The necessary condition is definitely
more complex, but the small difference between the
necessary and exact feasibility regions indicate a very good
chance that the solution obtained using the necessary-only
condition is also feasible with respect to the exact test.
To evaluate the effectiveness of the algorithm, Fig. 9
shows the number of point pairs that are needed to evaluate
the sufficient-only condition for 1,000 configurations of 10
tasks with D ¼ T . At most eight point pairs need to be
checked in 10.9 percent of the cases, 16 in 43.2 percent of
the cases, 32 points in 89.5 percent of the cases, and
64 points in 99.8 percent of the cases. Fig. 9 also plots the
number of points that are required for the same task set
assuming fully preemptive scheduling. Although the
number of initial points for the preemption threshold
scheduling is approximately the square of those for the
10 CONCLUSIONS
In the design of time-critical applications, schedulability
analysis results are used to define the task feasibility region
so that optimization techniques can be used to compute the
best design that satisfies the deadlines. In this paper, we
summarize possible approaches to the problem and provide
an improved feasibility analysis that opens the possibility
for an exact definition of the feasibility region which
requires an acceptable number of binary variables. We
demonstrate the efficiency and effectiveness of our algorithm by random task sets and industrial-size problems.
ACKNOWLEDGMENTS
This work is supported by NSERC Discovery Grant RGPIN
418741-12 and NSFC Project Grant #61070002.
ZENG AND DI NATALE: AN EFFICIENT FORMULATION OF THE REAL-TIME FEASIBILITY REGION FOR DESIGN OPTIMIZATION
REFERENCES
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
[11]
[12]
[13]
[14]
[15]
[16]
[17]
[18]
[19]
[20]
[21]
[22]
[23]
[24]
N. Audsley, A. Burns, M. Richardson, K. Tindell, and A.J.
Wellings, “Applying New Scheduling Theory to Static Priority
Pre-Emptive Scheduling,” Software Eng. J., vol. 8, no. 5, pp. 284292, Sept. 1993.
E. Bini and G.C. Buttazzo, “Schedulability Analysis of Periodic
Fixed Priority Systems,” IEEE Trans. Computers, vol. 53, no. 11,
pp. 1462-1473, Nov. 2004.
E. Bini and G.C. Buttazzo, “Measuring the Performance of
Schedulability Tests,” Real-Time Systems, vol. 30, nos. 1/2,
pp. 129-154, May 2005.
E. Bini, T.H. Châu Nguyen, P. Richard, and S.K. Baruah, “A
Response-Time Bound in Fixed-Priority Scheduling with Arbitrary Deadlines,” IEEE Trans. Computers, vol. 58, no. 2, pp. 279-286,
Feb. 2009.
A. Cervin, D. Henriksson, B. Lincoln, J. Eker, and K.E. Arzen,
“How Does Control Timing Affect Performance? Analysis and
Simulation of Timing Using Jitterbug and TrueTime,” IEEE
Control Systems Magazine, vol. 23, no. 3, pp. 16-30, June 2003.
A. Davare, Q. Zhu, M.D. Natale, C. Pinello, S. Kanajan, and A.
Sangiovanni-Vincentelli, “Period Optimization for Hard RealTime Distributed Automotive Systems,” Proc. 44th Design Automation Conf., pp. 278-283, 2007.
L. George, N. Riviere, and M. Spuri, “Preemptive and NonPreemptive Real-Time Uniprocessor Scheduling,” technical report, INRIA, 1996.
R. Ghattas and A.C. Dean, “Preemption Threshold Scheduling:
Stack Optimality, Enhancements and Analysis,” Proc. 13th RealTime and Embedded Technology and Applications Symp., pp. 147-157,
2007.
B. Grünbaum, Convex Polytopes, second ed., p. 52a. Springer, 2003.
A. Hamann, R. Racu, and R. Ernst, “Multi-Dimensional Robustness Optimization in Heterogeneous Distributed Embedded
Systems,” Proc. 13th Real-Time and Embedded Technology and
Applications Symp., pp. 269-280, 2007.
J.P. Lehoczky, L. Sha, and Y. Ding, “The Rate Monotonic
Scheduling Algorithm: Exact Characterization and Average Case
Behavior,” Proc. 10th Real-Time Systems Symp., pp. 166-171, 1989.
M. Di Natale, “Optimizing the Multitask Implementation of
Multirate Simulink Models,” Proc. 12th Real-Time and Embedded
Technology and Applications Symp., pp. 335-346, 2006.
M. Di Natale and V. Pappalardo, “Buffer Optimization in
Multitask Implementations of Simulink Models,” ACM Trans.
Embedded Computing Systems, vol. 7, no. 3, pp. 1-32, May 2008.
M. Di Natale, L. Guo, H. Zeng, and A. Sangiovanni-Vincentelli,
“Synthesis of Multi-Task Implementations of Simulink Models
with Minimum Delays,” IEEE Trans. Industrial Informatics, vol. 6,
no. 4, pp. 637-651, Nov. 2010.
A. Metzner and C. Herde, “RTSAT—An Optimal and Efficient
Approach to the Task Allocation Problem in Distributed Architectures,” Proc. 27th Real-Time Systems Symp., pp. 147-158, 2006.
A.K. Mok, “Fundamental Design Problems of Distributed Systems
for the Hard-Real-Time Environment,” PhD thesis, MIT, 1983.
M. Oral and O. Kettani, “Linearization Procedure for Quadratic
and Cubic Mixed-Integer Problems,” Operations Research, vol. 40,
no. S1, pp. 109-116, Jan./Feb. 1992.
“OSEK/VDX Operating System Specification Version 2.2.3,”
http://www.osek-vdx.org, Feb. 2005.
J. Regehr, “Scheduling Tasks with Mixed Preemption Relations for
Robustness to Timing Faults,” Proc. 23rd Real-Time Systems Symp.,
pp. 315-326, 2002.
L. Sha, R. Rajkumar, and J.P. Lehoczky, “Priority Inheritance
Protocols: An Approach to Real-Time Synchronization,” IEEE
Trans. Computers, vol. 39, no. 9, pp. 1175-1185, Sept. 1990.
M. Sjödin and H. Hansson, “Improved Response Time Analysis
Calculations,” Proc. 19th Real-Time Systems Symp., pp. 399-408,
1998.
W. Lamie, “Preemption-Threshold,” White Paper, Express Logic,
Inc., http://rtos.com/articles/18833, 2012.
M. Velasco, P. Marti, and E. Bini, “Control-Driven Tasks:
Modeling and Analysis,” Proc. 29th Real-Time Systems Symp.,
pp. 280-290, 2008.
Y. Wang and M. Saksena, “Scheduling Fixed-Priority Tasks with
Preemption Threshold,” Proc. Sixth Real-Time Computing Systems
and Applications, pp. 328-335, 1999.
661
[25] H. Zeng and M.D. Natale, “An Efficient Formulation of the RealTime Feasibility Region for Design Optimization,” TECIP technical report, Scuola Superiore S. Anna, Pisa, Aug. 2011.
[26] W. Zheng, M.D. Natale, C. Pinello, P. Giusto, and A. SangiovanniVincentelli, “Synthesis of Task and Message Activation Models in
Real-Time Distributed Automotive Systems,” Proc. Conf. Design,
Automation & Test in Europe, pp. 93-98, 2007.
[27] W. Zheng, Q. Zhu, M. Di Natale, and A. SangiovanniVincentelli, “Definition of Task Allocation and Priority Assignment in Hard Real-Time Distributed System,” Proc. Real-Time
System Symp., pp. 161-170, 2007.
[28] Q. Zhu, Y. Yang, E. Scholte, M. Di Natale, and A. SangiovanniVincentelli, “Optimizing Extensibility in Hard Real-Time Distributed Systems,” Proc. 15th Real-Time and Embedded Technology
and Applications Symp., pp. 275-284, 2009.
Haibo Zeng received the BE and ME degrees in
electrical engineering from Tsinghua University,
Beijing, China. He received the PhD degree in
electrical engineering and computer sciences
from University of California at Berkeley. He is
currently an assistant professor at McGill University, Canada. He was a senior researcher at
General Motors R&D until October 2011. His
research interests are design methodology,
analysis, and optimization for embedded systems, real-time systems, and cyber-physical systems. He is a member
of the IEEE.
Marco Di Natale received the PhD degree from
Scuola Superiore Sant’Anna in 1991 and has
been visiting researcher at the University of
California, Berkeley, in 2006 and 2008/2009. He
is currently an associate professor at the Scuola
Superiore Sant’Anna of Pisa, Italy, in which he
held a position as director of the Real-Time
Systems (ReTiS) Laboratory from 2003 to 2006.
He has been selected in 2006 by the Italian
Ministry of Research as the national representative in the mirror group of the ARTEMIS European Union Technology
platform. He has been a researcher in the area of real-time systems and
embedded systems for more than 15 years, being author or coauthor of
more than 100 scientific papers. He has been winner of four best paper
awards and the Archie T. Colwell award. He has served as program
committee member and has been an organizer of tutorials and special
sessions for the main conferences in the area, including the Real-time
Systems Symposium, the IEEE/ACM Design Automation Conference
(DAC), the Design Automation and Test in Europe (DATE) and the RealTime Application Symposium. He also served as program chair and
track chair for the RTAS conference, Automotive and Transportation
track chair of the 2010 DATE Conference and program chair for the
ICESS conference. He has been an associate editor for the IEEE
Transactions on CAD and the IEEE Embedded Systems Letters and is
currently in the editorial board of the IEEE Transactions on Industrial
Informatics. He is currently a senior member of the IEEE.
. For more information on this or any other computing topic,
please visit our Digital Library at www.computer.org/publications/dlib.

Download Report

An Efficient Formulation of the Real

Paperzz.com

Your Paperzz